SIEM Big Data Visualization [01] : Scam Events Analytics
Dashboard for Monitoring Scam Events in Critical Infrastructure
In this article, I will introduce the Scam Events Dashboard (an Angular plugin) developed for SIEM big data analytics.
Project Design Purpose:
In a Security Information and Event Management (SIEM) system, effective monitoring and visualization of scam events is crucial to detecting and responding to cyberattacks. Cybercriminals often use deceptive methods to exploit individuals or organizations, aiming to steal sensitive information, financial assets, or disrupt operations. This project seeks to develop a web plugin dashboard to help cybersecurity researchers and managers better understand the scope and impact of scam-related cyberattacks targeting critical infrastructure sectors such as Government Services, InfoComm, Manufacturing, Energy, Transportation, Healthcare, Security and Emergency Services, and Banking and Finance. By enabling real-time visualization of attack patterns, the dashboard will assist organizations in identifying trends, spotting anomalies, improving cybersecurity strategies, and making informed, data-driven decisions.
For the plugin demo, please refer to this video:
# Version: v0.0.1
# Created: 2024/10/01
# Copyright: Copyright (c) 2024 LiuYuancheng
# License: MIT License
Introduction
This project aims to develop a dashboard that visualizes large datasets of scam threat events sourced from publicly available cybersecurity datasets. The dashboard will be an essential tool for cybersecurity researchers and managers, allowing them to analyze and understand scam incidents targeting critical infrastructure. By offering real-time visualization, it will help organizations gain insights into attack patterns, trends, and sector-specific vulnerabilities.
The dashboard will feature several key components: an event count timeline panel, a scam event world heatmap, sector-specific line charts displaying various scam threat types, and a pop-up information dialog for in-depth event breakdowns and graphical analysis.
The project is divided into two main sections: Front-End Web Host and Back-End Database Balancer.
This integrated system will provide a powerful and user-friendly platform to monitor and analyze scam threats, helping to enhance cybersecurity strategies and decision-making for critical infrastructure protection.
Dashboard Main UI View
The plug-in dashboard layout is designed to offer an intuitive and data-driven experience, providing cybersecurity professionals with real-time insights into scam activities and their impact on critical infrastructure. A preview of the Dashboard Webpage is shown below:
The dashboard consists of five key sections, designed to provide a comprehensive view of scam threat data:
Scam Data Source
To gather scam event data, you can build your own database by utilizing various sources such as Incident Reports, Threat Intelligence Feeds, Security Bulletins, Historical Cyberattack Data (e.g., ransomware, phishing), as well as User/Employee Reports of Suspicious Activities, and Industry-Specific Security Audits and Assessments. Additionally, there are several free resources that provide valuable datasets for scam event research, analysis, and visualization:
These data sources provide a solid foundation for scam event tracking and analysis, enabling organizations to better monitor and understand cyber threats across critical infrastructure sectors.
System/Program Design
The system is designed as an Angular plugin, programmed using TypeScript, with a back-end database balancer implemented in GraphQL and JavaScript. The back-end uses a Druid database cluster to manage and process data, alongside a data fetch module that integrates with various APIs to continuously pull scam event data from different sources. The system is flexible, allowing users to modify the data-fetching process and incorporate data from multiple sources.
The dashboard data visualization workflow is as follows:
The dashboard contains three main parts: the Main Scam Event Analytics Dashboard, the Scam Event Breakdown Information Pop-Up Window and the Scam Source-Destination Relationship Graph display.
Main Scam Event Analytics Dashboard
The Main Scam Analytics Dashboard provides an overview of scam events across various critical infrastructure sectors. The interface contains several key elements:
The Main Scam Analytics Dashboard is shown below:
Scam Event Breakdown Information Pop-Up Window
When a user clicks on any of the 16 sector-specific trend charts, a detailed breakdown of scam events is presented in a pop-up window, as shown below:
The breakdown includes four types of information for the selected sector:
Scam Source-Destination Relationship Graph
The Scam Source-Destination Relationship Graph provides a visual representation of the connections between scam event sources and their respective targets. Built using Cytoscape, this graph displays the flow of scam events between entities, highlighting the number of events and the type of scams involved.
The panel also includes a filter function, allowing users to customize the graph based on the number of scam threat events or other criteria. The graph is illustrated below:
This relationship graph helps users analyze the source and target sectors, scam types, and event volumes to gain deeper insights into scam activities affecting critical infrastructure sectors.
This dashboard offers a robust visualization tool to monitor, analyze, and explore scam events, providing a powerful aid in managing cybersecurity threats across various sectors.
Back-End Data Query Design
The back-end query design leverages Druid for efficient data retrieval and processing of scam events. These queries are used to fetch, group, and filter data, providing actionable insights for visualization in the dashboard. Below are the key query designs for country code lookups, campaign breakdowns, and sector graphs.
1. Country Code Lookup Query
To ensure accurate geographic representation of scam events, we perform a country code lookup for all IP addresses. This helps categorize threats based on their origin and provides data for geographic heatmaps.
1.1 Query to retrieve IP country codes: This query finds all destination node IDs along with their respective country codes from the dataset:
SELECT dstNodeId, dstCountry
FROM "ds-findings-scam-url-ioc-2019"
GROUP BY dstNodeId, dstCountry
1.2 Query using country code lookup: This query filters results by a specific country (e.g., Singapore, "SG") and groups by the originating sector (srcSector). It counts the number of threats per sector, allowing us to see which sectors are being targeted:
SELECT srcSector, count(*) AS threatCount
FROM "ds-findings-scams-matched-results"
WHERE lookup(dstNodeId, 'lookup-ip-country') = 'SG'
GROUP BY srcSector
2. Campaign Breakdown Query
To track the volume and timing of scam events, we can break down threat activity by time intervals, providing data for time-series visualizations such as timelines or trend charts.
2.1 Hourly campaign breakdown: This query groups the data by hourly time intervals and counts the number of scam threats detected per hour, filtered by the country code:
SELECT DATE_TRUNC('hour', __time), count(*) AS threatCount
FROM "ds-findings-scams-matched-results"
WHERE lookup(dstNodeId, 'lookup-ip-country') = 'SG'
GROUP BY DATE_TRUNC('hour', __time)
3. Sector Graph Data Queries
These queries help build the source-destination relationship graph for scam events. They provide a detailed view of how scams propagate between source enterprises and destination nodes, grouped by sector and country.
3.1 Query to create edges for sector graph: This query retrieves connections between the source (srcEnterpriseId) and destination nodes (dstNodeId), grouping by sectors such as "INFOCOMM" and filtering by country:
SELECT dstNodeId, srcEnterpriseId, srcNodeId, lookup(dstNodeId, 'lookup-ip-country')
FROM "ds-findings-scams-matched-results"
WHERE srcSector = 'INFOCOMM'
GROUP BY dstNodeId, srcEnterpriseId, srcNodeId, lookup(dstNodeId, 'lookup-ip-country')
3.2 Query to create nodes for scam graph with country information: This query generates nodes for the scam event graph, showing the relationship between the source (srcEnterpriseId), destination node, and the respective country. It also provides a threat count for each connection:
SELECT dstNodeId, srcEnterpriseId, srcNodeId, lookup(dstNodeId, 'lookup-ip-country'), count(*) AS threatCount
FROM "ds-findings-scams-matched-results"
WHERE lookup(dstNodeId, 'lookup-ip-country') = 'SG'
GROUP BY dstNodeId, srcEnterpriseId, srcNodeId
These optimized queries ensure efficient data retrieval and processing for scam event visualization, supporting the front-end dashboard with actionable and interactive insights into threat activity across critical infrastructure sectors.
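The queries above hard-code the filter value ('SG'), but in the dashboard that value comes from a user-selected filter. The following is an added example, not code from the Scam Event Dashboard project: it assembles queries 1.2 and 2.1 as JSON request bodies for Druid's SQL HTTP endpoint (/druid/v2/sql/), binding the user-chosen country and time window as Druid dynamic parameters ("?" placeholders plus a "parameters" array) rather than pasting them into the query text, and allow-listing the one identifier (the GROUP BY column) that cannot be bound. The datasource, lookup and column names are taken from the article; the function names, the allow-list and the time-window restriction are assumptions made for this illustration.

```typescript
// Added example (not part of the Scam Event Dashboard project): build the
// article's country-filtered Druid SQL queries as request bodies for the Druid
// SQL HTTP endpoint, with user-supplied values bound as dynamic parameters.

type DruidParam =
  | { type: 'VARCHAR'; value: string }
  | { type: 'TIMESTAMP'; value: string }; // "yyyy-MM-dd HH:mm:ss"

export interface DruidSqlRequest {
  query: string;
  parameters: DruidParam[];
}

// Names taken from the article's queries.
const DATASOURCE = 'ds-findings-scams-matched-results';
const COUNTRY_LOOKUP = 'lookup-ip-country';

// Identifiers cannot be bound as parameters, so the GROUP BY column the UI may
// choose is allow-listed (assumed list) instead of interpolated from input.
const GROUP_COLUMNS = ['srcSector', 'srcEnterpriseId', 'dstNodeId'];

// A country filter is accepted only when it has the ISO 3166-1 alpha-2 shape;
// anything else is rejected before any query text is assembled.
export function normalizeCountryCode(input: string): string {
  const code = input.trim().toUpperCase();
  if (!/^[A-Z]{2}$/.test(code)) {
    throw new Error(`invalid country code: ${JSON.stringify(input)}`);
  }
  return code;
}

// Threats per sector for one destination country (query 1.2 in the article,
// with the literal 'SG' replaced by a bound VARCHAR parameter).
export function sectorCountRequest(country: string, groupColumn = 'srcSector'): DruidSqlRequest {
  if (GROUP_COLUMNS.indexOf(groupColumn) === -1) {
    throw new Error(`column not allowed for grouping: ${groupColumn}`);
  }
  return {
    query:
      `SELECT ${groupColumn}, count(*) AS threatCount ` +
      `FROM "${DATASOURCE}" ` +
      `WHERE lookup(dstNodeId, '${COUNTRY_LOOKUP}') = ? ` +
      `GROUP BY ${groupColumn}`,
    parameters: [{ type: 'VARCHAR', value: normalizeCountryCode(country) }],
  };
}

// Druid TIMESTAMP parameters take "yyyy-MM-dd HH:mm:ss"; render in UTC so the
// window does not drift with the analyst's browser time zone.
function druidTimestamp(d: Date): string {
  return d.toISOString().slice(0, 19).replace('T', ' ');
}

// Hourly breakdown (query 2.1) for one country, restricted to an explicit time
// window so the dashboard cannot issue an unbounded scan of the datasource.
export function hourlyBreakdownRequest(country: string, fromIso: string, toIso: string): DruidSqlRequest {
  const from = new Date(fromIso);
  const to = new Date(toIso);
  if (isNaN(from.getTime()) || isNaN(to.getTime()) || from.getTime() >= to.getTime()) {
    throw new Error('time window must be two valid timestamps with from < to');
  }
  return {
    query:
      `SELECT DATE_TRUNC('hour', __time) AS hourBucket, count(*) AS threatCount ` +
      `FROM "${DATASOURCE}" ` +
      `WHERE lookup(dstNodeId, '${COUNTRY_LOOKUP}') = ? ` +
      `AND __time >= ? AND __time < ? ` +
      `GROUP BY DATE_TRUNC('hour', __time)`,
    parameters: [
      { type: 'VARCHAR', value: normalizeCountryCode(country) },
      { type: 'TIMESTAMP', value: druidTimestamp(from) },
      { type: 'TIMESTAMP', value: druidTimestamp(to) },
    ],
  };
}
```

The returned object is what the balancer would POST as JSON to the Druid SQL endpoint. The only parts of the statement built from strings are constants and an allow-listed column name; every value that originates in the browser travels in the parameters array, so a crafted country code such as `SG' OR 1=1 --` is rejected by the shape check and could not alter the statement even if it were bound.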
Components Panel Design
This design defines five key component panels used to create the dashboard webpage, providing users with a detailed and interactive way to visualize scam threats across various critical infrastructure sectors. Below are the descriptions of each component panel and its functionality.
1. Scam Threat Events Timeline Chart Panel
This panel displays the total number of scam threats over time, allowing users to observe trends and patterns. Events are ordered chronologically and counted per time bucket (e.g., daily or hourly), providing a clear view of when scam activities spike or decrease. This timeline chart is especially useful for tracking the frequency of scam threats over a specific period, as shown below.
2. Event Source Heatmap
The World Heatmap visually represents the geographical origins of scam threats by mapping the scam event count based on attacker locations. Each country is color-coded based on the intensity of scam activity originating from that region. This heatmap helps identify regions with high scam activity, allowing analysts to focus on specific threat sources globally.
3. Scam Destination Sector History Timeline Chart Panel
This panel shows scam events targeting various sectors over time. Each sector’s historical data is displayed as a timeline chart, with an overlay of comparison summary results to visualize how different sectors are being impacted by scams. Users can compare scam activity across multiple sectors simultaneously, providing insights into sector-specific vulnerability trends.
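The timeline, heatmap and sector-comparison panels above all consume the same event rows shaped three different ways. The following is an added example, not code from the Scam Event Dashboard project: it takes rows of the kind the article's queries return (a `__time` timestamp, the country obtained from the `lookup-ip-country` lookup, and `srcSector`) and produces the hourly series, the per-country counts and the aligned per-sector series. It also handles a detail a `GROUP BY DATE_TRUNC('hour', __time)` result alone does not give you: hours with no events are zero-filled, so the chart shows a gap instead of silently joining two distant points. The row shape, function names and sample rows are constructed for this illustration.

```typescript
// Added example (not part of the Scam Event Dashboard project): shape raw scam
// event rows into the series the timeline, heatmap and sector panels draw.

export interface ScamEventRow {
  __time: string;    // ISO 8601 timestamp as returned by Druid
  country: string;   // country code from lookup(dstNodeId, 'lookup-ip-country')
  srcSector: string; // e.g. 'INFOCOMM'
}

export interface HourBucket {
  hour: string; // ISO timestamp of the hour start, UTC
  count: number;
}

const HOUR_MS = 3600000;

// Truncate to the hour in UTC; Date#setMinutes would use the browser's zone
// and put the same event in different buckets for analysts in different zones.
export function truncateToHour(iso: string): string {
  const d = new Date(iso);
  if (isNaN(d.getTime())) throw new Error(`bad timestamp: ${iso}`);
  d.setUTCMinutes(0, 0, 0);
  return d.toISOString();
}

// Hourly counts, zero-filled for every hour between the first and last event.
export function hourlyTimeline(rows: ScamEventRow[]): HourBucket[] {
  if (rows.length === 0) return [];
  const counts: Record<string, number> = {};
  for (const r of rows) {
    const h = truncateToHour(r.__time);
    counts[h] = (counts[h] || 0) + 1;
  }
  const hours = Object.keys(counts).sort();
  const first = Date.parse(hours[0]);
  const last = Date.parse(hours[hours.length - 1]);
  const out: HourBucket[] = [];
  for (let t = first; t <= last; t += HOUR_MS) {
    const key = new Date(t).toISOString();
    out.push({ hour: key, count: counts[key] || 0 });
  }
  return out;
}

// Event count per country for the world heatmap; rows without a resolvable
// country are kept under 'UNKNOWN' rather than dropped, so totals still match.
export function countryHeatmap(rows: ScamEventRow[]): Record<string, number> {
  const out: Record<string, number> = {};
  for (const r of rows) {
    const cc = r.country || 'UNKNOWN';
    out[cc] = (out[cc] || 0) + 1;
  }
  return out;
}

// One hourly series per sector, all aligned to the same hour axis so the
// sector comparison chart can overlay them directly.
export function sectorSeries(rows: ScamEventRow[]): Record<string, HourBucket[]> {
  const axis = hourlyTimeline(rows).map(b => b.hour);
  const out: Record<string, HourBucket[]> = {};
  for (const r of rows) {
    if (out[r.srcSector]) continue;
    const own = rows.filter(x => x.srcSector === r.srcSector);
    const counts: Record<string, number> = {};
    for (const b of hourlyTimeline(own)) counts[b.hour] = b.count;
    out[r.srcSector] = axis.map(h => ({ hour: h, count: counts[h] || 0 }));
  }
  return out;
}

// Constructed sample rows (not real dataset records).
export const SAMPLE_ROWS: ScamEventRow[] = [
  { __time: '2024-10-01T08:05:00.000Z', country: 'SG', srcSector: 'INFOCOMM' },
  { __time: '2024-10-01T08:40:00.000Z', country: 'SG', srcSector: 'BANKING' },
  { __time: '2024-10-01T10:15:00.000Z', country: 'US', srcSector: 'INFOCOMM' },
];
```

On the sample rows the timeline yields three buckets (08:00, 09:00, 10:00) with counts 2, 0, 1; the 09:00 bucket exists only because of the zero-fill. The same helpers work for daily buckets by truncating to the day and stepping 24 hours.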
4. Scam Breakdown Pop-Up Dialog Window
When users click on a sector chart, a detailed breakdown dialog window appears. This pop-up displays:
This pop-up allows for a deeper analysis of individual scam events and their characteristics.
5. Scam Source-Destination Relationship Graph
This Cytoscape graph displays the relationships between scam sources and their targets. The graph visualizes how scam events propagate between various entities, such as enterprises or subscribers, and shows the flow of threats between source and destination nodes. It also includes a filter function that enables users to rebuild the graph based on scam event counts, making it easier to focus on high-priority events or regions.
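Both the Scam Source-Destination Relationship Graph section and this component description leave implicit how the sector graph query rows become something Cytoscape can draw. The following is an added example, not code from the Scam Event Dashboard project: it converts rows shaped like the result of query 3.2 (srcEnterpriseId, srcNodeId, dstNodeId, the looked-up country and threatCount) into Cytoscape element definitions, applies the panel's minimum-event-count filter, and merges the several source nodes of one enterprise that hit the same destination into a single weighted edge. Row field names follow the queries; the id prefixes, the `summarize` helper and the sample rows are constructed for this illustration.

```typescript
// Added example (not part of the Scam Event Dashboard project): turn sector
// graph query rows into Cytoscape.js elements with a threat-count filter.

export interface GraphRow {
  srcEnterpriseId: string;
  srcNodeId: string;
  dstNodeId: string;
  dstCountry: string;  // lookup(dstNodeId, 'lookup-ip-country')
  threatCount: number;
}

// Cytoscape takes elements as { group, data } objects; a node needs a unique
// id and an edge needs source/target ids that refer to existing nodes.
export interface CyElement {
  group: 'nodes' | 'edges';
  data: Record<string, string | number>;
}

export function buildGraphElements(rows: GraphRow[], minThreatCount = 1): CyElement[] {
  const nodes: Record<string, CyElement> = {};
  const edges: Record<string, CyElement> = {};

  const addNode = (id: string, kind: string, extra: Record<string, string | number>) => {
    if (!nodes[id]) nodes[id] = { group: 'nodes', data: { id, kind, ...extra } };
  };

  for (const r of rows) {
    // The panel's filter: rows below the chosen event count are left out.
    if (r.threatCount < minThreatCount) continue;
    // Prefixes keep enterprise ids and destination ids in separate namespaces,
    // so an enterprise and a node that share a raw id cannot collide.
    const src = `ent:${r.srcEnterpriseId}`;
    const dst = `node:${r.dstNodeId}`;
    addNode(src, 'enterprise', { label: r.srcEnterpriseId });
    addNode(dst, 'destination', { label: r.dstNodeId, country: r.dstCountry });
    // Several source nodes of one enterprise may reach the same destination;
    // accumulate them into one weighted edge instead of drawing duplicates.
    const edgeId = `${src}->${dst}`;
    const edge = edges[edgeId];
    if (edge) {
      edge.data.weight = (edge.data.weight as number) + r.threatCount;
    } else {
      edges[edgeId] = { group: 'edges', data: { id: edgeId, source: src, target: dst, weight: r.threatCount } };
    }
  }

  const out: CyElement[] = [];
  for (const k of Object.keys(nodes)) out.push(nodes[k]);
  for (const k of Object.keys(edges)) out.push(edges[k]);
  return out;
}

// Small summary used by the UI to show "N nodes / M edges" next to the filter.
export function summarize(elements: CyElement[]): { nodes: number; edges: number; totalWeight: number } {
  let nodes = 0, edges = 0, totalWeight = 0;
  for (const e of elements) {
    if (e.group === 'nodes') nodes++;
    else { edges++; totalWeight += e.data.weight as number; }
  }
  return { nodes, edges, totalWeight };
}

// Constructed sample rows (not real dataset records; 192.0.2.0/24 is TEST-NET).
export const SAMPLE_GRAPH_ROWS: GraphRow[] = [
  { srcEnterpriseId: 'ENT-A', srcNodeId: 'A-1', dstNodeId: '192.0.2.10', dstCountry: 'SG', threatCount: 12 },
  { srcEnterpriseId: 'ENT-A', srcNodeId: 'A-2', dstNodeId: '192.0.2.10', dstCountry: 'SG', threatCount: 3 },
  { srcEnterpriseId: 'ENT-B', srcNodeId: 'B-1', dstNodeId: '192.0.2.25', dstCountry: 'US', threatCount: 1 },
];
```

The array returned by `buildGraphElements` can be passed directly as the `elements` option when creating a Cytoscape instance, with a style rule such as `label: 'data(label)'` to show the stored labels and `width: 'data(weight)'` to thicken heavier edges. Raising the threshold to 5 on the sample rows drops ENT-B and its destination entirely, which is the "rebuild the graph based on scam event counts" behaviour the panel describes.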
These components provide a comprehensive set of tools for scam event visualization, enabling cybersecurity professionals to explore the data from different perspectives—whether it's by time, geography, or sector-specific trends. The interactive design makes it easy to drill down into detailed scam event data for a more informed analysis.
Program Setup and Usage
This section outlines the program file structure, environment setup, and steps for executing the Scam Event Dashboard. Follow these instructions to correctly configure and run the system.
Copy the file to your angular project:
Program Usage/Execution
Copy Files to Appropriate Directories
Access the Webpage: you can directly access the dashboard at: https://localhost:4200/#/scam
Project GitHub Repo Link : https://github.com/LiuYuancheng/Scam_Event_Dashboard
Reference
Thanks for spending time checking the article details. If you have any questions or suggestions, or find any program bugs, please feel free to message me. Many thanks if you can give some comments and share any improvement advice so we can make our work better ~
Senior OT/ICS & Cybersecurity Consultant (3 weeks): I found your content very interesting and technical. Is this part of research and development?
Cybersecurity Infrastructure Engineer @ NUS | Digital Forensics Trainer | Cloud, Network, and Security (3 weeks): Very informative blog!
Senior OT/ICS & Cybersecurity Consultant (3 weeks): Great advice